
Overview of Azure Active Directory Domain Services PDF

137 Pages·2017·4.76 MB·English

Preview Overview of Azure Active Directory Domain Services

Table of Contents

Overview
  What is Azure AD Domain Services?
  Is it right for you?
    Compare with Windows Server AD
    Compare with Azure AD join
  Features
  Scenarios
  How synchronization works
  Compatible third-party software
Get started
  Task 1: configure basic settings
  Task 2: configure network settings
  Task 3: configure administrator group and enable Azure AD Domain Services
  Task 4: update DNS settings for virtual network
  Task 5: enable password synchronization
How to
  Use Azure AD Domain Services in Azure CSP subscriptions
  Enable Azure AD Domain Services using PowerShell
  Join a managed domain
    Windows Server VM
    Windows Server VM from template
    CentOS
    CoreOS
    RedHat Enterprise Linux
    Ubuntu Server
  Administer a managed domain
    Administer a managed domain
    Administer DNS on a managed domain
    Configure secure LDAP for a managed domain
    Create an OU on a managed domain
    Administer group policy on a managed domain
    Select a virtual network
  Deploy applications
    Configure support for profile synchronization for SharePoint Server
    Configure Kerberos Constrained Delegation
    Deploy Azure AD Application Proxy
  Delete a managed domain
Troubleshoot
  FAQs
  Troubleshooting guide
  Troubleshoot alerts
  Resolve mismatched tenant errors
Reference
  Code samples
Related
  Azure Active Directory
  Azure Active Directory B2C
  Multi-Factor Authentication
Resources
  Azure AD feedback forum
  Azure Roadmap
  Contact us
  Pricing
  Pricing calculator
  Service updates

Azure Active Directory (AD) Domain Services
1/9/2018

Overview

Azure Infrastructure Services enable you to deploy a wide range of computing solutions in an agile manner. With Azure Virtual Machines, you can deploy nearly instantaneously and you pay only by the minute. Using support for Windows, Linux, SQL Server, Oracle, IBM, SAP, and BizTalk, you can deploy any workload, any language, on nearly any operating system.
These benefits enable you to migrate legacy applications deployed on-premises to Azure, to save on operational expenses. A key aspect of migrating on-premises applications to Azure is handling the identity needs of these applications. Directory-aware applications may rely on LDAP for read or write access to the corporate directory, or rely on Windows Integrated Authentication (Kerberos or NTLM authentication) to authenticate end users. Line-of-business (LOB) applications running on Windows Server are typically deployed on domain-joined machines, so they can be managed securely using Group Policy. To 'lift-and-shift' on-premises applications to the cloud, these dependencies on the corporate identity infrastructure need to be resolved.

Administrators often turn to one of the following solutions to satisfy the identity needs of their applications deployed in Azure:

  Deploy a site-to-site VPN connection between workloads running in Azure Infrastructure Services and the corporate directory on-premises.
  Extend the corporate AD domain/forest infrastructure by setting up replica domain controllers using Azure virtual machines.
  Deploy a stand-alone domain in Azure using domain controllers deployed as Azure virtual machines.

All these approaches suffer from high cost and administrative overhead. Administrators are required to deploy domain controllers using virtual machines in Azure. Additionally, they need to manage, secure, patch, monitor, back up, and troubleshoot these virtual machines. The reliance on VPN connections to the on-premises directory makes workloads deployed in Azure vulnerable to transient network glitches or outages. These network outages in turn result in lower uptime and reduced reliability for these applications. We designed Azure AD Domain Services to provide an easier alternative.
Introducing Azure AD Domain Services

Azure AD Domain Services provides managed domain services such as domain join, group policy, LDAP, and Kerberos/NTLM authentication that are fully compatible with Windows Server Active Directory. You can consume these domain services without the need to deploy, manage, and patch domain controllers in the cloud. Azure AD Domain Services integrates with your existing Azure AD tenant, making it possible for users to log in using their corporate credentials. Additionally, you can use existing groups and user accounts to secure access to resources, ensuring a smoother 'lift-and-shift' of on-premises resources to Azure Infrastructure Services. Azure AD Domain Services works seamlessly regardless of whether your Azure AD tenant is cloud-only or synced with your on-premises Active Directory.

Azure AD Domain Services for cloud-only organizations

A cloud-only Azure AD tenant (often referred to as a 'managed tenant') does not have any on-premises identity footprint. In other words, user accounts, their passwords, and group memberships are all native to the cloud - that is, created and managed in Azure AD. Consider for a moment that Contoso is a cloud-only Azure AD tenant. As shown in the following illustration, Contoso's administrator has configured a virtual network in Azure Infrastructure Services. Applications and server workloads are deployed in this virtual network in Azure virtual machines. Since Contoso is a cloud-only tenant, all user identities, their credentials, and group memberships are created and managed in Azure AD. Contoso's IT administrator can enable Azure AD Domain Services for their Azure AD tenant and choose to make domain services available in this virtual network. Thereafter, Azure AD Domain Services provisions a managed domain and makes it available in the virtual network.
All user accounts, group memberships, and user credentials available in Contoso's Azure AD tenant are also available in this newly created domain. This feature enables users in the organization to sign in to the domain using their corporate credentials - for example, when connecting remotely to domain-joined machines via Remote Desktop. Administrators can provision access to resources in the domain using existing group memberships. Applications deployed in virtual machines on the virtual network can use features like domain join, LDAP read, LDAP bind, NTLM and Kerberos authentication, and Group Policy.

A few salient aspects of the managed domain that is provisioned by Azure AD Domain Services are as follows:

  Contoso's IT administrator does not need to manage, patch, or monitor this domain or any domain controllers for this managed domain.
  There is no need to manage AD replication for this domain.
  User accounts, group memberships, and credentials from Contoso's Azure AD tenant are automatically available within this managed domain.
  Since the domain is managed by Azure AD Domain Services, Contoso's IT administrator does not have Domain Administrator or Enterprise Administrator privileges on this domain.

Azure AD Domain Services for hybrid organizations

Organizations with a hybrid IT infrastructure consume a mix of cloud resources and on-premises resources. Such organizations synchronize identity information from their on-premises directory to their Azure AD tenant. As hybrid organizations look to migrate more of their on-premises applications to the cloud, especially legacy directory-aware applications, Azure AD Domain Services can be useful to them. Litware Corporation has deployed Azure AD Connect to synchronize identity information from their on-premises directory to their Azure AD tenant.
The identity information that is synchronized includes user accounts, their credential hashes for authentication (password sync), and group memberships.

NOTE: Password synchronization is mandatory for hybrid organizations to use Azure AD Domain Services. This requirement exists because users' credentials are needed in the managed domain provided by Azure AD Domain Services to authenticate these users via NTLM or Kerberos authentication methods.

The preceding illustration shows how organizations with a hybrid IT infrastructure, such as Litware Corporation, can use Azure AD Domain Services. Litware's applications and server workloads that require domain services are deployed in a virtual network in Azure Infrastructure Services. Litware's IT administrator can enable Azure AD Domain Services for their Azure AD tenant and choose to make a managed domain available in this virtual network. Since Litware is an organization with a hybrid IT infrastructure, user accounts, groups, and credentials are synchronized to their Azure AD tenant from their on-premises directory. This feature enables users to sign in to the domain using their corporate credentials - for example, when connecting remotely to machines joined to the domain via Remote Desktop. Administrators can provision access to resources in the domain using existing group memberships. Applications deployed in virtual machines on the virtual network can use features like domain join, LDAP read, LDAP bind, NTLM and Kerberos authentication, and Group Policy.

A few salient aspects of the managed domain that is provisioned by Azure AD Domain Services are as follows:

  The managed domain is a stand-alone domain. It is not an extension of Litware's on-premises domain.
  Litware's IT administrator does not need to manage, patch, or monitor domain controllers for this managed domain.
  There is no need to manage AD replication to this domain.
  User accounts, group memberships, and credentials from Litware's on-premises directory are synchronized to Azure AD via Azure AD Connect. These user accounts, group memberships, and credentials are automatically available within the managed domain.
  Since the domain is managed by Azure AD Domain Services, Litware's IT administrator does not have Domain Administrator or Enterprise Administrator privileges on this domain.

Benefits

With Azure AD Domain Services, you can enjoy the following benefits:

  Simple – You can satisfy the identity needs of virtual machines deployed to Azure Infrastructure Services with a few simple clicks. You do not need to deploy and manage identity infrastructure in Azure or set up connectivity back to your on-premises identity infrastructure.
  Integrated – Azure AD Domain Services is deeply integrated with your Azure AD tenant. You can now use Azure AD as an integrated cloud-based enterprise directory that caters to the needs of both your modern applications and traditional directory-aware applications.
  Compatible – Azure AD Domain Services is built on the proven enterprise-grade infrastructure of Windows Server Active Directory. Therefore, your applications can rely on a greater degree of compatibility with Windows Server Active Directory features. Not all features available in Windows Server AD are currently available in Azure AD Domain Services. However, available features are compatible with the corresponding Windows Server AD features you rely on in your on-premises infrastructure. The LDAP, Kerberos, NTLM, Group Policy, and domain join capabilities constitute a mature offering that has been tested and refined over various Windows Server releases.
  Cost-effective – With Azure AD Domain Services, you can avoid the infrastructure and management burden that is associated with managing identity infrastructure to support traditional directory-aware applications.
  You can move these applications to Azure Infrastructure Services and benefit from greater savings on operational expenses.

Next steps

Learn more about Azure AD Domain Services
  Features
  Deployment scenarios
  Find out if Azure AD Domain Services suits your use-cases
  Understand how Azure AD Domain Services synchronizes with your Azure AD directory

Get started with Azure AD Domain Services
  Enable Azure AD Domain Services using the Azure portal

How to decide if Azure AD Domain Services is right for your use-case
12/11/2017

With Azure AD Domain Services you can deploy your workloads in Azure Infrastructure Services without having to worry about maintaining identity infrastructure in Azure. This managed service is different from a typical Windows Server Active Directory deployment that you deploy and administer on your own. The service is easy to deploy and delivers automated health monitoring and remediation. We are constantly evolving the service to add support for common deployment scenarios.

To decide whether to use Azure AD Domain Services, we recommend the following reading material:

  See the list of features offered by Azure AD Domain Services.
  Review common deployment scenarios for Azure AD Domain Services.
  Finally, compare Azure AD Domain Services to a do-it-yourself AD option.

Compare Azure AD Domain Services to DIY AD domain in Azure

The following table helps you decide between using Azure AD Domain Services and managing your own AD infrastructure in Azure.

Feature | Azure AD Domain Services | 'Do-it-yourself' AD in Azure VMs
Managed service | ✓ | ✕
Secure deployments | ✓ | Administrator needs to secure the deployment
DNS server | ✓ (managed service) | ✓
Domain or Enterprise administrator privileges | ✕ | ✓
Domain join | ✓ | ✓
Domain authentication using NTLM and Kerberos | ✓ | ✓
Kerberos constrained delegation | resource-based | resource-based & account-based
Custom OU structure | ✓ | ✓
Schema extensions | ✕ | ✓
AD domain/forest trusts | ✕ | ✓
LDAP read | ✓ | ✓
Secure LDAP (LDAPS) | ✓ | ✓
LDAP write | ✕ | ✓
Group Policy | ✓ | ✓
Geo-distributed deployments | ✕ | ✓

Managed service

Azure AD Domain Services domains are managed by Microsoft. You do not have to worry about patching, updates, monitoring, backups, and ensuring availability of your domain. These management tasks are offered as a service by Microsoft Azure for your managed domains.

Secure deployments

The managed domain is securely locked down as per Microsoft's security recommendations for AD deployments. These recommendations stem from the AD product team's decades of experience engineering and supporting AD deployments. For do-it-yourself deployments, you need to take specific deployment steps to lock down/secure your deployment.

DNS server

An Azure AD Domain Services managed domain includes managed DNS services. Members of the 'AAD DC Administrators' group can manage DNS on the managed domain. Members of this group are given full DNS Administration privileges for the managed domain. DNS management can be performed using the DNS Administration console included in the Remote Server Administration Tools (RSAT) package.

Domain or Enterprise Administrator privileges

These elevated privileges are not offered on an AAD-DS managed domain. Applications that require these elevated privileges cannot be deployed against AAD-DS managed domains. A smaller subset of administrative privileges is available to members of the delegated administration group called 'AAD DC Administrators'.
These privileges include the ability to configure DNS, configure group policy, and gain administrator privileges on domain-joined machines. Because membership confers local administrator rights on every machine joined to the managed domain, keep this group small and treat its members as privileged accounts.

Domain join

You can join virtual machines to the managed domain similar to how you join computers to an AD domain.

Domain authentication using NTLM and Kerberos

With Azure AD Domain Services, you can use your corporate credentials to authenticate with the managed domain. Credentials are kept in sync with your Azure AD tenant. For synced tenants, Azure AD Connect ensures that changes to credentials made on-premises are synchronized to Azure AD. With a do-it-yourself domain setup, you may need to set up an AD domain trust with your on-premises AD for users to authenticate with their corporate credentials. Alternately, you may need to set up AD replication to ensure that user passwords synchronize to your Azure domain controller virtual machines.

Kerberos constrained delegation

You do not have 'Domain Administrator' privileges on an Azure AD Domain Services managed domain. Therefore, you cannot configure account-based (traditional) Kerberos constrained delegation, which is written on the front-end account and requires the 'Enable computer and user accounts to be trusted for delegation' right held by domain administrators. However, you can configure the more secure resource-based constrained delegation, where the administrator of the back-end resource decides which front-end identities may delegate to it.

Custom OU structure

Members of the 'AAD DC Administrators' group can create custom OUs within the managed domain. Users who create custom OUs are granted full administrative privileges over the OU.

Schema extensions

You cannot extend the base schema of an Azure AD Domain Services managed domain. Therefore, applications that rely on extensions to the AD schema (for example, new attributes under the user object) cannot be lifted and shifted to AAD-DS domains.

AD Domain or Forest Trusts

Managed domains cannot be configured to set up trust relationships (inbound/outbound) with other domains.
Therefore, resource forest deployment scenarios cannot use Azure AD Domain Services. Similarly, deployments where you prefer not to synchronize passwords to Azure AD cannot use Azure AD Domain Services.

LDAP Read

The managed domain supports LDAP read workloads. Therefore, you can deploy applications that perform LDAP read operations against the managed domain.

Secure LDAP

You can configure Azure AD Domain Services to provide secure LDAP access to your managed domain, including over the internet. If you do expose secure LDAP to the internet, restrict inbound TCP port 636 in the virtual network's network security group to the source IP ranges that need it, and make sure clients validate the LDAPS certificate rather than accepting any certificate.

LDAP Write

The managed domain is read-only for user objects. Therefore, applications that perform LDAP write operations against attributes of the user object do not work in a managed domain. Additionally, user passwords cannot be changed from within the managed domain. Another example is modification of group memberships or group attributes within the managed domain, which is not permitted. However, any changes to user attributes or passwords made in Azure AD (via PowerShell/Azure portal) or in on-premises AD are synchronized to the AAD-DS managed domain.

Group policy

There is a built-in GPO each for the "AADDC Computers" and "AADDC Users" containers. You can customize these built-in GPOs to configure group policy. Members of the 'AAD DC Administrators' group can also create custom GPOs and link them to existing OUs (including custom OUs).

Geo-dispersed deployments

Azure AD Domain Services managed domains are available in a single virtual network in Azure. For scenarios that require domain controllers to be available in multiple Azure regions across the world, setting up domain controllers in Azure IaaS VMs might be the better alternative.

'Do-it-yourself' (DIY) AD deployment options

You may have deployment use-cases where you need some of the capabilities offered by a Windows Server AD installation.
In these cases, consider one of the following do-it-yourself (DIY) options:

  Standalone cloud domain: You can set up a standalone 'cloud domain' using Azure virtual machines that have been configured as domain controllers. This infrastructure does not integrate with your on-premises AD environment. This option requires a different set of 'cloud credentials' to log in to and administer VMs in the cloud.
  Resource forest deployment: You can set up a domain in the resource forest topology, using Azure virtual machines configured as domain controllers. Next, you can configure an AD trust relationship with your on-premises AD environment. You can domain-join computers (Azure VMs) to this resource forest in the cloud. User authentication happens over a VPN/ExpressRoute connection to your on-premises directory.
  Extend your on-premises domain to Azure: You can connect an Azure virtual network to your on-premises network using a VPN/ExpressRoute connection. This setup enables Azure VMs to be joined to your on-premises AD. Another alternative is to promote replica domain controllers of your on-premises domain on Azure VMs and set them up to replicate over a VPN/ExpressRoute connection to your on-premises directory. This deployment mode effectively extends your on-premises domain to Azure.

NOTE: You may determine that a DIY option is better suited for your deployment use-cases. Consider sharing feedback to help us understand what features would help you choose Azure AD Domain Services in the future. This feedback helps us evolve the service to better suit your deployment needs and use-cases.

We have published guidelines for Deploying Windows Server Active Directory on Azure Virtual Machines to help make DIY installations easier.

Related Content

  Features - Azure AD Domain Services
  Deployment scenarios - Azure AD Domain Services
  Guidelines for Deploying Windows Server Active Directory on Azure Virtual Machines
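The Kerberos constrained delegation comparison above states that a managed domain permits only resource-based constrained delegation, because account-based delegation needs rights that 'AAD DC Administrators' do not hold. The following PowerShell is an added example, not code from the Azure AD Domain Services documentation or from Microsoft. It assumes hypothetical computer accounts WEBFE01 (a web front end) and SQLBE01 (a SQL back end), both joined to a hypothetical managed domain contoso100.com, the ActiveDirectory RSAT module on a domain-joined VM, and a caller who is a member of 'AAD DC Administrators'. It configures resource-based delegation on the back end, verifies it, and then shows for contrast why the account-based form is expected to be refused.

```powershell
# Added example (not from the Azure AD Domain Services docs): resource-based
# Kerberos constrained delegation on a managed domain.
# Hypothetical names: WEBFE01 (front end), SQLBE01 (back end), contoso100.com.
# Run on a domain-joined VM with the ActiveDirectory RSAT module, as a member
# of 'AAD DC Administrators'.
Import-Module ActiveDirectory

$frontEnd = Get-ADComputer -Identity 'WEBFE01'
$backEnd  = Get-ADComputer -Identity 'SQLBE01'

# Resource-based KCD is written on the *resource* (back-end) object, in its
# msDS-AllowedToActOnBehalfOfOtherIdentity attribute. Only write access to
# SQLBE01 is needed, which the delegated admin group has; no domain-wide right.
Set-ADComputer -Identity $backEnd -PrincipalsAllowedToDelegateToAccount $frontEnd

# Verify: SQLBE01 should now accept protocol-transition tickets from WEBFE01 only.
$check = Get-ADComputer -Identity $backEnd -Properties PrincipalsAllowedToDelegateToAccount
"SQLBE01 accepts delegation from:"
$check.PrincipalsAllowedToDelegateToAccount

# To revoke later, clear the list on the back end:
#   Set-ADComputer -Identity $backEnd -PrincipalsAllowedToDelegateToAccount $null

# Contrast: account-based (traditional) KCD is written on the *front-end*
# account's msDS-AllowedToDelegateTo attribute. Changing that attribute requires
# the 'Enable computer and user accounts to be trusted for delegation' right
# (SeEnableDelegationPrivilege), which Domain Admins hold and 'AAD DC
# Administrators' do not, so on a managed domain this write is expected to fail.
try {
    Set-ADComputer -Identity $frontEnd -Add @{
        'msDS-AllowedToDelegateTo' = 'MSSQLSvc/sqlbe01.contoso100.com:1433'
    }
    Write-Warning 'Account-based KCD was accepted; this is not a managed domain.'
} catch {
    "Account-based KCD refused as expected: $($_.Exception.Message)"
}
```

The security point is who controls the delegation list: with the resource-based form the owner of SQLBE01 chooses which identities may impersonate users to it, so a compromised front end cannot add new targets for itself, whereas the account-based list lives on the front end and needs a domain-level right to edit.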
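The LDAP read, Secure LDAP and LDAP write sections above describe a managed domain that answers LDAP reads over TLS but rejects writes to synchronized user objects. The following Windows PowerShell script is an added example that is not part of the Azure AD Domain Services documentation. It assumes a hypothetical secure LDAP endpoint ldaps.contoso100.com on port 636 whose certificate chains to a CA this client already trusts, a default naming context of DC=contoso100,DC=com, a synchronized user named alice, and the .NET Framework System.DirectoryServices.Protocols assembly. It binds over LDAPS with certificate validation left on, reads alice's group memberships, then attempts a write and reports the server's refusal.

```powershell
# Added example (not from the Azure AD Domain Services docs): LDAPS bind, LDAP
# read and a write attempt against a managed domain. Endpoint, base DN and user
# name below are assumptions, not values from the documentation.
Add-Type -AssemblyName System.DirectoryServices.Protocols

$server = 'ldaps.contoso100.com'   # assumed secure LDAP endpoint
$baseDn = 'DC=contoso100,DC=com'   # assumed default naming context
$user   = 'alice'                  # assumed sAMAccountName to look up
$cred   = Get-Credential -Message 'Managed domain account (user@contoso100.com)'

$identifier = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($server, 636)
$conn = New-Object System.DirectoryServices.Protocols.LdapConnection($identifier)
$conn.SessionOptions.SecureSocketLayer = $true   # LDAPS: TLS from the first byte
$conn.SessionOptions.ProtocolVersion   = 3
# Leave certificate validation at its default. Assigning
# $conn.SessionOptions.VerifyServerCertificate = { $true } would accept any
# certificate and defeat the point of secure LDAP.
$conn.AuthType   = [System.DirectoryServices.Protocols.AuthType]::Basic
$conn.Credential = $cred.GetNetworkCredential()
$conn.Bind()   # simple bind sends the password; acceptable only because the channel is TLS

# LDAP read: locate the user and list the groups it belongs to.
$search = New-Object System.DirectoryServices.Protocols.SearchRequest
$search.DistinguishedName = $baseDn
$search.Filter = "(&(objectClass=user)(sAMAccountName=$user))"
$search.Scope  = [System.DirectoryServices.Protocols.SearchScope]::Subtree
$null = $search.Attributes.Add('memberOf')

$result = $conn.SendRequest($search)
if ($result.Entries.Count -ne 1) {
    throw "Expected exactly one entry for $user, found $($result.Entries.Count)"
}
$entry  = $result.Entries[0]
$userDn = $entry.DistinguishedName
"User DN: $userDn"
$groups = $entry.Attributes['memberOf']
if ($groups) { $groups.GetValues([string]) } else { '(no group memberships)' }

# LDAP write: synchronized user objects are read-only in a managed domain, so
# the server is expected to refuse this modification. If it succeeds, the
# object is writable and you are not looking at a synchronized user.
$change = New-Object System.DirectoryServices.Protocols.DirectoryAttributeModification
$change.Name      = 'description'
$change.Operation = [System.DirectoryServices.Protocols.DirectoryAttributeOperation]::Replace
$null = $change.Add('changed over LDAP')

$modify = New-Object System.DirectoryServices.Protocols.ModifyRequest
$modify.DistinguishedName = $userDn
$null = $modify.Modifications.Add($change)

try {
    $null = $conn.SendRequest($modify)
    Write-Warning "Write to $userDn succeeded; this object is not read-only."
} catch [System.DirectoryServices.Protocols.DirectoryOperationException] {
    "Write refused, LDAP result code: $($_.Exception.Response.ResultCode)"
}
$conn.Dispose()
```

Run it from a host that can reach port 636 on the endpoint; if the endpoint is internet-facing, that host should be within the source IP ranges allowed by the network security group rule, and a certificate validation failure at Bind() should be fixed by trusting the issuing CA, not by bypassing validation.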

